PCI DSS audits can be a nightmare or an opportunity

Move past the debate over whether PCI DSS compliance really makes an organization more secure and focus on how to put it to work for you. It comes down to this: if you are a CISO, how can you turn the QSA audit experience to your advantage, rather than treating it as a waste of money (six or seven figures if you are a Level One organization)? The formula is largely a matter of applying common sense, which is too often lacking.

The first lesson: “Don’t be a (bad word).” Copping a bad attitude towards the QSA is a severely career limiting move, warned Martin Fisher, director of information security, WellStar Health System, at a Source Boston session. Establish a good relationship with the QSA from the get-go, and the assessor will work with you to work out the bumps in the audit and give you the benefit of the doubt when questions arise over whether, for example, a given set of controls or procedures constitute compliance. If you are a (bad word) to the QSA, the engagement will be drawn out and adversarial, you will get dinged more than you may deserve, you won’t get a good Report on Compliance (ROC) and the CIO or CEO will ask you if you are actually doing your job.

The QSA audit should be viewed as a security consulting assessment, rather than something to get over with, said Fisher and Michelle Klinger, senior consultant at EMC, representing the QSA perspective. If you are spending hundreds of thousands or upwards of a million dollars on a QSA engagement, get your money’s worth. Use the audit as an opportunity to identify security gaps, as opposed to simply dealing with compliance requirements, and strengthen your case for additional resources.

A successful engagement starts with choosing the right QSA. The CISO usually can’t hire the auditing firm, but can and must choose the specific assessor. Interview and screen candidates the same way you would evaluate a prospective employee. Select someone who impresses you with their competence and will work well with your team. It’s important to choose a QSA who is not a (bad word).

Be prepared. Assemble all the documents you believe the QSA might require. Date the documentation to make it more credible, so that files, configuration data, screenshots, etc. reflect your current security posture as closely as possible. Map the documents to specific PCI DSS requirements to make the QSA’s job easier and save time and effort for your team. When the QSA has to go on a fishing expedition for information, everyone’s valuable time is wasted.

“If you just throw documents at them, they might have no idea what requirements you are trying to satisfy and will bombard you with questions,” Klinger admonished.

“You are going to (another bad word) them,” said Fisher. “Then it’s game over for you when QSAs go rogue.”

Good prep also means identifying the right people within your organization based on the agenda (make sure there is one) and an estimate of the time required from each of them (make sure the QSA provides one).

Be honest during the audit and direct your team to do the same. This doesn’t mean a rending-of-clothing confession of sins, but above all, don’t lie to the QSA. It will end badly for everyone.

An open process, conducted professionally, will make it easier to resolve disagreements or misunderstandings, expedite the process and identify the real security weaknesses.

After the audit, insist on a complete list of findings and recommendations for remediation from the QSA, usually in a spreadsheet. This enables the CISO to begin working on remediation, gives management an early summary of the assessment and may help justify security investments.